CVE-2023-3758 : A race condition flaw was found in sssd where the GPO policy is not consistently

A race condition flaw was found in sssd where the GPO policy is not consistently applied for authenticated users. This may lead to improper authorization issues, granting or denying access to resources inappropriately.

Published 2024-04-18 19:15:09

Updated 2025-02-06 17:15:18

Source Red Hat, Inc.

View at NVD, CVE.org

Products affected by CVE-2023-3758

Please log in to view affected product information.

Exploit prediction scoring system (EPSS) score for CVE-2023-3758

EPSS FAQ

0.10%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 29 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-3758

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
7.1	HIGH	CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H	1.2	5.9	134c704f-9b21-4f2e-91b3-4a467353bcc0	2025-02-06
Attack Vector: Adjacent Network Attack Complexity: High Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
7.1	HIGH	CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H	1.2	5.9	Red Hat, Inc.	2024-04-18
Attack Vector: Adjacent Network Attack Complexity: High Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2023-3758

CWE-285 Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Assigned by: secalert@redhat.com (Primary)
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Primary)
- secalert@redhat.com (Primary)

References for CVE-2023-3758

https://github.com/SSSD/sssd/pull/7302

ad-gpo: use hash to store intermediate results by sumit-bose · Pull Request #7302 · SSSD/sssd · GitHub
https://access.redhat.com/errata/RHSA-2024:1921

RHSA-2024:1921 - Security Advisory - Red Hat Customer Portal
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XEP62IDS7A55D5UHM6GH7QZ7SQFOAPVF/

[SECURITY] Fedora 39 Update: sssd-2.9.4-2.fc39 - package-announce - Fedora Mailing-Lists
https://access.redhat.com/errata/RHSA-2024:3270

RHSA-2024:3270 - Security Advisory - Red Hat Customer Portal
https://access.redhat.com/errata/RHSA-2024:2571

RHSA-2024:2571 - Security Advisory - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2023-3758

CVE-2023-3758- Red Hat Customer Portal
https://access.redhat.com/errata/RHSA-2024:1920

RHSA-2024:1920 - Security Advisory - Red Hat Customer Portal
https://bugzilla.redhat.com/show_bug.cgi?id=2223762

2223762 – (CVE-2023-3758) CVE-2023-3758 sssd: Race condition during authorization leads to GPO policies functioning inconsistently
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RV3HIZI3SURBUQKSOOL3XE64OOBQ2HTK/

[SECURITY] Fedora 40 Update: sssd-2.9.4-7.fc40 - package-announce - Fedora Mailing-Lists
https://access.redhat.com/errata/RHSA-2024:1922

RHSA-2024:1922 - Security Advisory - Red Hat Customer Portal
https://access.redhat.com/errata/RHSA-2024:1919

RHSA-2024:1919 - Security Advisory - Red Hat Customer Portal
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XMORAO2BDDA5YX4ZLMXDZ7SM6KU47SY5/

[SECURITY] Fedora 38 Update: sssd-2.9.4-2.fc38 - package-announce - Fedora Mailing-Lists

Jump to

Vulnerability Details : CVE-2023-3758

Products affected by CVE-2023-3758

Exploit prediction scoring system (EPSS) score for CVE-2023-3758

CVSS scores for CVE-2023-3758

CWE ids for CVE-2023-3758

References for CVE-2023-3758